[exim] Handling TLSv1 and not SSLv3: tls_protocols ?

Author: Kurt Jaeger
Date:  
To: exim-users
Subject: [exim] Handling TLSv1 and not SSLv3: tls_protocols ?
Hi!

I'm trying to configure exim to not accept SSLv3 protocol connections.

With exim, there's only tls_require_ciphers, which does not allow one
to disable SSLv3 in a similar fashion.
Well, it *does* allow '!SSLv3', but then TLSv1 fails as well.

This can be tested using cnark:

http://blog.techstacks.com/cryptonark.html
http://www.techstacks.com/files/cnark-v0.5.6.tar.gz

and calling the cnark script:

cnark -h my-test-host -p 465 --insecure

Case 1, disable SSLv3:

tls_require_ciphers = HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

cnark gives:

[...]
Testing SSLv3 Ciphers...

Testing TLSv1 Ciphers...

Testing TLSv1.2 Ciphers...
[...]

Case 2, disable only SSLv2:

tls_require_ciphers = HIGH:!SSLv2:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

cnark gives:

[...]
Testing SSLv3 Ciphers...
    DHE-RSA-AES256-SHA -- 256 bits, High Encryption, Forward Secrecy
    AES256-SHA -- 256 bits, High Encryption
    DHE-RSA-AES128-SHA -- 128 bits, High Encryption, Forward Secrecy
    AES128-SHA -- 128 bits, High Encryption


Testing TLSv1 Ciphers...
    DHE-RSA-AES256-SHA -- 256 bits, High Encryption, Forward Secrecy
    AES256-SHA -- 256 bits, High Encryption
    DHE-RSA-AES128-SHA -- 128 bits, High Encryption, Forward Secrecy
    AES128-SHA -- 128 bits, High Encryption


Testing TLSv1.2 Ciphers...
[...]

With dovecot, besides ssl_cipher_list there's a ssl_protocols field,
as described in:

http://security.stackexchange.com/questions/71872/disable-sslv3-in-dovecot-tls-handshaking-failed-no-shared-cipher

So setting 'ssl_protocols = !SSLv2 !SSLv3' allows one to disable SSLv3.

This is implemented in dovecot-2.2.15 in

dovecot-2.2.15/src/lib-ssl-iostream/iostream-openssl-common.c

with a function openssl_get_protocol_options, and maybe exim needs something
similar?

-- 
pi@???            +49 171 3101372                         6 years to go !
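The behaviour the post observes has a simple cause: in an OpenSSL cipher string, the keyword `SSLv3` does not mean "the SSLv3 protocol" but "cipher suites first defined by SSLv3", and TLSv1.0 and TLSv1.1 define no suites of their own, they reuse the SSLv3 ones wholesale. So `!SSLv3` strips every suite those two versions could use, and only TLSv1.2-only suites (AES-GCM, SHA-2 MACs) survive. Protocol versions have to be restricted by a separate knob (Dovecot's `ssl_protocols` as the post describes; on the Exim side the `openssl_options` main option, e.g. `openssl_options = +no_sslv2 +no_sslv3`, maps onto the same OpenSSL `SSL_OP_NO_*` flags). The following Python model, added here as an illustration and not part of the post or of Exim/Dovecot code, reproduces both of the post's cases over a small constructed cipher table whose "protocol" column mirrors what `openssl ciphers -v` prints; it models only the subset of the cipher-string grammar the post uses (keyword selection and `!` removal) and then shows how protocol-level disabling keeps the TLSv1 suites while refusing SSLv3.

```python
"""Model of why '!SSLv3' in an OpenSSL cipher string also breaks TLSv1.0/1.1.

Added example, not code from the exim-users post. The cipher table below is a
constructed sample; its protocol column mirrors the column `openssl ciphers -v`
prints (the version that first defined each suite).
"""

# Constructed sample: (suite name, protocol that first defined it, keyword tags).
# Suites tagged SSLv3 are the only ones TLSv1.0 and TLSv1.1 can negotiate.
CIPHER_TABLE = [
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", {"HIGH", "TLSv1.2", "AESGCM"}),
    ("DHE-RSA-AES256-GCM-SHA384",   "TLSv1.2", {"HIGH", "TLSv1.2", "AESGCM"}),
    ("AES128-GCM-SHA256",           "TLSv1.2", {"HIGH", "TLSv1.2", "AESGCM"}),
    ("DHE-RSA-AES256-SHA",          "SSLv3",   {"HIGH", "SSLv3", "AES"}),
    ("AES256-SHA",                  "SSLv3",   {"HIGH", "SSLv3", "AES"}),
    ("DHE-RSA-AES128-SHA",          "SSLv3",   {"HIGH", "SSLv3", "AES"}),
    ("AES128-SHA",                  "SSLv3",   {"HIGH", "SSLv3", "AES"}),
    ("DES-CBC3-SHA",                "SSLv3",   {"HIGH", "SSLv3", "3DES"}),
    ("RC4-MD5",                     "SSLv3",   {"MEDIUM", "SSLv3", "RC4", "MD5"}),
    ("NULL-SHA",                    "SSLv3",   {"SSLv3", "eNULL"}),
]

# Handshake versions in increasing order; a suite is usable at a version only
# if that version is >= the version that defined the suite.
PROTO_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# The two cipher strings from the post.
CASE1_NO_SSLV3 = "HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
CASE2_NO_SSLV2 = "HIGH:!SSLv2:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"


def evaluate_cipher_string(cipher_string, table=CIPHER_TABLE):
    """Apply an OpenSSL-style cipher string to the table (simplified model).

    A bare keyword selects every suite carrying that tag; '!KEYWORD' removes
    matching suites permanently. Ordering rules and the '+'/'-' forms of the
    real grammar are not modelled (assumption made for brevity).
    """
    selected, banned = [], set()
    for item in cipher_string.split(":"):
        if item.startswith("!"):
            banned |= {name for name, _, tags in table if item[1:] in tags}
        else:
            for name, _, tags in table:
                if item in tags and name not in selected:
                    selected.append(name)
    return [name for name in selected if name not in banned]


def suites_for(protocol, allowed, table=CIPHER_TABLE):
    """Suites from `allowed` that a handshake at `protocol` can actually use."""
    level = PROTO_ORDER.index(protocol)
    return [name for name, defined_in, _ in table
            if name in allowed and PROTO_ORDER.index(defined_in) <= level]


def negotiable(cipher_string, enabled_protocols, client_protocol):
    """Suites a server offers to a client speaking `client_protocol`.

    An empty list means the handshake fails: either the protocol version is
    disabled outright, or (the post's symptom) there is no shared cipher.
    """
    if client_protocol not in enabled_protocols:
        return []
    return suites_for(client_protocol, set(evaluate_cipher_string(cipher_string)))


if __name__ == "__main__":
    everything = set(PROTO_ORDER)
    tls_only = everything - {"SSLv3"}          # what +no_sslv3 / ssl_protocols achieves
    for label, cs, protos in (("case 1 (!SSLv3 in cipher string)", CASE1_NO_SSLV3, everything),
                              ("case 2 (!SSLv2 only)", CASE2_NO_SSLV2, everything),
                              ("case 2 + SSLv3 disabled at protocol level", CASE2_NO_SSLV2, tls_only)):
        print(label)
        for proto in PROTO_ORDER:
            print(f"  {proto:8s} {negotiable(cs, protos, proto) or 'handshake fails'}")
```

Running it reproduces the post: with case 1, `TLSv1` and `TLSv1.1` fail with no shared cipher while `TLSv1.2` still works; with case 2, SSLv3 is happily served the same four SHA suites the cnark output lists; only disabling the protocol version itself refuses SSLv3 while leaving those suites available to TLSv1.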